CVE-2026-40404: Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 6.2.9200.26132
- Affected Products: 20
HarborGuard Analysis
Synopsis
This is an elevation-of-privilege vulnerability in the Windows Universal Disk Format File System Driver (UDFS), a kernel-mode component present in Windows 10 and Windows 11. The vulnerability is exploitable only locally: the attacker must already have a low-privilege shell or process on the target host, and no authentication beyond that existing account is required. Successful exploitation gives the attacker full control of the host: reading arbitrary files, writing or corrupting data, and crashing or taking over services. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running affected Windows-based container images.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: CVE-2026-40404 is ingested from upstream advisory feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built Windows-based images. Any image whose OS layer falls within the affected version ranges for Windows 10 or Windows 11 is flagged automatically.
HarborGuard scores this CVE at CVSS 7.8 (HIGH) and weights findings against each customer organization's compliance policy to determine urgency and routing. Triage alerts are delivered to the inbox or ticketing integration configured for the relevant team within each customer environment.
For customers whose images fall within the affected version ranges, a patched-image rebuild at the appropriate fix version (such as 10.0.14393.9234, 10.0.17763.8880, or 10.0.19044.7417 depending on the base image) becomes available on HarborGuard once the upstream patched layer is published. For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
Any low-privilege local account is sufficient; no administrative or elevated credentials are needed before exploitation.
- Victim interaction: Not required
No action from another user or victim is needed to trigger the vulnerability.
- Attack complexity: Low
The exploit is reliable and imposes no special environmental conditions or timing requirements.
Blast Radius
- Reads arbitrary files on the host, including credentials, certificates, and sensitive application data stored on disk.
- Writes or modifies files and system data, allowing the attacker to plant backdoors or corrupt application state.
- Crashes or takes over system services, causing denial of service or enabling further lateral movement within the host.
- Achieves full kernel-level control of the affected Windows host, removing all OS-enforced access boundaries.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-40404 is active across all customer environments that scan Windows-based container images, with matching occurring within minutes of CVE publication. Where compliance policy permits, auto-remediation customers receive a rebuilt image at the appropriate patched version, a regression-test run, and a pull request opened against affected workloads. For HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually can review flagged images in the HarborGuard dashboard and apply the relevant Microsoft patch version for their Windows 10 or Windows 11 base image. Until a rebuilt image is deployed, reducing the blast radius is possible by ensuring containers run under the least-privileged accounts available and by restricting which workloads can mount or interact with UDF-formatted volumes.
Fix available
- Microsoft / Windows 10 Version 1607: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows 10 Version 1809: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows 10 Version 21H2: < 10.0.19044.7417 (from 10.0.19044.0)
- Microsoft / Windows 10 Version 22H2: < 10.0.19045.7417 (from 10.0.19045.0)
- Microsoft / Windows 11 version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 23H2: < 10.0.22631.7219 (from 10.0.22631.0)
- Microsoft / Windows 11 Version 24H2: < 10.0.26100.8655 (from 10.0.26100.0)
- Microsoft / Windows 11 Version 25H2: < 10.0.26200.8655 (from 10.0.26200.0)
- Microsoft / Windows 11 version 26H1: < 10.0.28000.2269 (from 10.0.28000.0)
- Microsoft / Windows Server 2012: < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 (Server Core installation): < 6.2.9200.26132 (from 6.2.9200.0)
- Microsoft / Windows Server 2012 R2: < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2012 R2 (Server Core installation): < 6.3.9600.23228 (from 6.3.9600.0)
- Microsoft / Windows Server 2016: < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2016 (Server Core installation): < 10.0.14393.9234 (from 10.0.14393.0)
- Microsoft / Windows Server 2019: < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2019 (Server Core installation): < 10.0.17763.8880 (from 10.0.17763.0)
- Microsoft / Windows Server 2022: < 10.0.20348.5256 (from 10.0.20348.0)
- Microsoft / Windows Server 2025: < 10.0.26100.32995 (from 10.0.26100.0)
- Microsoft / Windows Server 2025 (Server Core installation): < 10.0.26100.32995 (from 10.0.26100.0)
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
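The fix table above is only useful if a host's or image's four-part build number (major.minor.build.UBR) is compared against the right row, and several rows share the same build number with different fix UBRs (Windows 11 24H2 and Windows Server 2025 both live on build 26100, for example). The following is an added example, not HarborGuard's or Microsoft's code: it transcribes the ranges from the list above (Server Core rows are folded into their parent product, since the ranges are identical), compares a build string against them with plain tuple ordering, and returns every row that still contains the build so the caller can see when the product name is needed to disambiguate. The sample build strings in `main` are constructed for illustration.

```python
"""Check a Windows build number against the CVE-2026-40404 fix table."""
from typing import List, Optional, Tuple

# Fix table transcribed from the advisory's "Fix available" list:
# (product, affected_from, fixed_in). A build is affected when
# affected_from <= build < fixed_in. Server Core rows share their
# parent product's range and are not listed separately here.
FIX_TABLE = [
    ("Windows 10 Version 1607", "10.0.14393.0", "10.0.14393.9234"),
    ("Windows 10 Version 1809", "10.0.17763.0", "10.0.17763.8880"),
    ("Windows 10 Version 21H2", "10.0.19044.0", "10.0.19044.7417"),
    ("Windows 10 Version 22H2", "10.0.19045.0", "10.0.19045.7417"),
    ("Windows 11 Version 23H2", "10.0.22631.0", "10.0.22631.7219"),
    ("Windows 11 Version 24H2", "10.0.26100.0", "10.0.26100.8655"),
    ("Windows 11 Version 25H2", "10.0.26200.0", "10.0.26200.8655"),
    ("Windows 11 Version 26H1", "10.0.28000.0", "10.0.28000.2269"),
    ("Windows Server 2012", "6.2.9200.0", "6.2.9200.26132"),
    ("Windows Server 2012 R2", "6.3.9600.0", "6.3.9600.23228"),
    ("Windows Server 2016", "10.0.14393.0", "10.0.14393.9234"),
    ("Windows Server 2019", "10.0.17763.0", "10.0.17763.8880"),
    ("Windows Server 2022", "10.0.20348.0", "10.0.20348.5256"),
    ("Windows Server 2025", "10.0.26100.0", "10.0.26100.32995"),
]


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.build.ubr' into a tuple that orders numerically.

    A three-part string (no UBR) is rejected rather than padded: without the
    update build revision the comparison against a fix UBR is meaningless.
    """
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.ubr, got {build!r}")
    major, minor, bld, ubr = (int(p) for p in parts)
    return (major, minor, bld, ubr)


def in_affected_range(build: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= build < fixed_in (tuple comparison)."""
    return parse_build(affected_from) <= parse_build(build) < parse_build(fixed_in)


def assess(build: str, product: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return [(product, fixed_in)] for every table row whose range contains build.

    Products that share a build number (Windows 11 24H2 and Windows Server
    2025 on 26100) have different fix UBRs, so pass `product` when it is
    known. Without it, every candidate row is returned and an empty list
    means no row in the table considers the build vulnerable.
    """
    hits = []
    for name, lo, hi in FIX_TABLE:
        if product is not None and name != product:
            continue
        if in_affected_range(build, lo, hi):
            hits.append((name, hi))
    return hits


def main() -> None:
    # Constructed sample builds, not values taken from any real host.
    samples = [
        ("10.0.19045.7000", None),                     # Win10 22H2, pre-fix
        ("10.0.19045.7417", None),                     # Win10 22H2, at fix
        ("10.0.26100.9000", None),                     # 26100: ambiguous
        ("10.0.26100.9000", "Windows 11 Version 24H2"),  # disambiguated
        ("10.0.22000.1000", None),                     # build not in table
    ]
    for build, product in samples:
        hits = assess(build, product)
        label = f"{build} ({product or 'product unknown'})"
        if hits:
            print(f"{label}: AFFECTED, fix in " + ", ".join(f"{p} {v}" for p, v in hits))
        else:
            print(f"{label}: not in any affected range")


if __name__ == "__main__":
    main()
```

On a Windows host the four-part build can be assembled from the `CurrentMajorVersionNumber`, `CurrentMinorVersionNumber`, `CurrentBuildNumber` and `UBR` values under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`; for a container image, read the same values from the image's registry hive or from the base-image tag. The deliberate design choice is to return all matching rows rather than a single boolean: a build such as 10.0.26100.9000 is past the Windows 11 24H2 fix but still inside the Windows Server 2025 range, and collapsing that into one answer without the product name would hide a vulnerable server.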